2

A website I'm looking at for my colleagues has a parameter which is number|number

Where the likely values will be 1-99|1-999 (e.g. 14|234)

How do I configure burp to try all possible values? (Would this be the intruder tool?)

Burp Newb!

DomBat

2 Answers

4

You can set up that payload set within Burp Intruder's options.

Just set the payload position in the "Positions" tab in Intruder, and then set the payload type to "Numbers" with your required setup.

Burp Intruder tab - Number payload

For the described scenario with two independent sets for the two positions you should use the "Cluster Bomb" attack type. Then you define two payload sets (one from 1 to 99, the other one from 1 to 999) as described above.

That will iterate through all combinations for payload set 1 while keeping the first element of the second payload set:
1|1
2|1
...
99|1

Then Intruder will choose the next item from payload set 2 and iterate through all of set 1 again until every combination has been tested.
1|2
2|2
...
99|999

Edit: Forgot to say that you should also check the "Attack type" in the "Positions" tab to fit it to the request you want to perform. Read about the attack types here: http://portswigger.net/burp/help/intruder_positions.html#attacktype (The attack type is just how Burp is going to handle the payloads in the requests).

Denis
BBerastegui
1

This code will generate those numbers for you. I'm hoping this will help. Thank you.

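#!/bin/bash

# ilotod Shell Nested loop for Burp

# Outer loop: first number
for (( i = 1; i <= 100; i++ ))
do
  # Inner loop: second number
  for (( j = 1; j <= 1000; j++ ))
  do
    # Print one value per line in the parameter's number|number form
    printf '%s|%s\n' "$i" "$j"
  done
done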

This snippet will echo those numbers; just run it in Cygwin or your Unix shell. Chmod it to 755.